A silver ticket is a forged Kerberos service ticket (TGS) encrypted and signed with the target service account’s own secret key. Unlike a golden ticket, which requires the KRBTGT key and a round-trip through the KDC, a silver ticket is constructed entirely offline — no domain controller contact is required at forge time. The ticket grants the bearer access to the specific service identified by the SPN. Because it is never issued by the KDC, the KDC’s KDCChecksum field cannot be verified by default; the /krbkey flag remedies this by computing the checksum with the KRBTGT key.
Differences from Golden Tickets
| Aspect | Golden Ticket | Silver Ticket |
|---|---|---|
| Signing key | KRBTGT (krbtgt/domain) | Service account key |
| Scope | Any service in the domain | Single service SPN only |
| DC contact required to forge | No | No |
| KDC validates checksum | Yes (KDCChecksum uses KRBTGT) | Only if /krbkey is supplied |
| Detection surface | High (KRBTGT key compromise) | Lower (individual service key) |
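
Because a silver ticket is never issued by the KDC, one defensive check is to look for Kerberos logons on a service host that no domain controller ticket issuance explains. The sketch below is an added example, not part of the Rubeus documentation; the event records are constructed with simplified field names, and the 10-hour ticket lifetime and the mapping of a machine account (`FS01$`) to its host are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (simplified field names, not raw Windows event XML).
# 4769 = service ticket issued, logged on a domain controller.
# 4624 = logon, logged on the host that runs the service.
DC_4769 = [
    {"time": "2024-01-10T08:01:12", "user": "alice", "service": "FS01$"},
    {"time": "2024-01-10T08:30:40", "user": "bob", "service": "SQL01$"},
]
HOST_4624 = [
    {"time": "2024-01-10T08:01:13", "host": "FS01", "user": "alice", "auth": "Kerberos"},
    {"time": "2024-01-10T09:15:02", "host": "FS01", "user": "Administrator", "auth": "Kerberos"},
    {"time": "2024-01-10T09:20:00", "host": "SQL01", "user": "bob", "auth": "Kerberos"},
    {"time": "2024-01-10T09:25:00", "host": "SQL01", "user": "carol", "auth": "NTLM"},
    {"time": "2024-01-11T07:00:00", "host": "FS01", "user": "alice", "auth": "Kerberos"},
]

MAX_TICKET_LIFETIME = timedelta(hours=10)  # assumed domain policy; set to yours


def ts(value):
    return datetime.fromisoformat(value)


def unbacked_kerberos_logons(dc_events, host_events, lifetime=MAX_TICKET_LIFETIME):
    """Return Kerberos logons that no KDC-issued service ticket explains."""
    issued = {}
    for ev in dc_events:
        # Assumption: the service runs as the machine account, so "FS01$" maps to host "FS01".
        key = (ev["user"].lower(), ev["service"].rstrip("$").lower())
        issued.setdefault(key, []).append(ts(ev["time"]))

    findings = []
    for ev in host_events:
        if ev["auth"] != "Kerberos":
            continue  # NTLM logons never involve a service ticket
        when = ts(ev["time"])
        key = (ev["user"].lower(), ev["host"].lower())
        # A legitimate ticket was issued before the logon and is still
        # inside its lifetime when it is presented to the service.
        backed = any(timedelta(0) <= when - t <= lifetime for t in issued.get(key, []))
        if not backed:
            findings.append((ev["time"], ev["host"], ev["user"]))
    return findings
```

Ticket renewals and gaps in domain controller log collection will produce false positives, so treat a finding as a lead to triage rather than proof of forgery.
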
Flag Reference
Cryptographic Key (required — pick one)
DES (des_cbc_md5) key for the service account.
RC4/NTLM key for the service account. Alias: /ntlm.
Alias for /rc4. RC4/NTLM key for the service account.
AES-128 key for the service account.
AES-256 key for the service account.
Explicitly specify the encryption type. Accepts DES, RC4, NTLM, AES128, AES256, or AES.
Identity (required)
Username to embed in the ticket PAC. Accepts DOMAIN\user format; the domain component also sets /domain.
Target SPN in svc/host.domain.com or host@domain.com format. Required. Both /s4uproxytarget and /s4utransitedservices must be supplied together if either is used.
LDAP Auto-fill
Query Active Directory over LDAPS (falling back to LDAP) to automatically populate all PAC fields for the specified user, including real group memberships, SID, display name, and password policy timestamps.
Alternate credential username (in domain.com\user format) for the LDAP query. Must be paired with /credpassword.
Password for the alternate LDAP credential specified by /creduser.
Domain and DC
Fully-qualified domain name. Required in explicit mode; optional override in LDAP mode.
Domain SID. Required in explicit mode (without /ldap).
Hostname or IP of the domain controller to use for LDAP queries.
NetBIOS domain name stored in the PAC LogonDomainName field.
KDC Checksum
KRBTGT key used to compute the KDCChecksum and TicketChecksum in the PAC. When omitted, the service key is used for both checksums and the ticket will fail strict KDC checksum validation.
Encryption type for the KDC checksum. Requires /krbkey. Defaults to AES256.
Client Name and Realm Override
Override the client name (cname) in the ticket. Defaults to the value of /user.
Override the client realm (crealm) in the ticket. Defaults to /domain.
S4U Delegation Info
Target SPN for S4U delegation. Adds an S4UDelegationInfo PAC buffer that mimics a constrained delegation ticket. Must be supplied together with /s4utransitedservices.
Comma-separated list of transited services for the S4UDelegationInfo PAC section. Must be supplied together with /s4uproxytarget.
PAC Options
Force inclusion of the new PAC format buffers (Attributes and Requestor sections). By default for silver tickets these are omitted unless this flag is passed.
Exclude the FullPacChecksum buffer from the forged ticket. Necessary when targeting services on Windows versions that have not yet enforced the full PAC signature requirement (pre-KB5020805 behaviour).
Include the extended UPN and DNS info (SAM name and SID) in the UpnDns PAC buffer.
Append authorization-data sections to the ticket, matching the structure of tickets issued by a real KDC with compound identity.
PAC Identity Fields
User RID in the PAC. Defaults to 500.
Primary group RID. Defaults to 513 (Domain Users).
Comma-separated group RIDs embedded in the PAC.
Comma-separated extra SIDs added to the ExtraSids PAC field.
SID of the resource domain for resource group membership. Must be paired with /resourcegroups.
Comma-separated resource group RIDs within the domain identified by /resourcegroupsid.
Comma-separated PacUserAccountControl flags. Defaults to NORMAL_ACCOUNT.
Comma-separated Kerberos ticket flags. Defaults to forwardable,renewable,pre_authent.
Full display name in the PAC FullName field.
Bad-password count in the PAC.
PAC Logon and Password Timestamps
Last logon time written to the PAC LogonTime field. Accepts a local-time string (e.g. "01/01/2024 08:00:00").
Logoff time written to the PAC LogoffTime field. Accepts a local-time string.
Password last set time written to the PAC PasswordLastSet field. Accepts a local-time string.
Maximum password age in days, used to compute the PAC PasswordMustChange field relative to /pwdlastset.
Minimum password age in days, used to compute the PAC PasswordCanChange field relative to /pwdlastset.
Logon count written to the PAC LogonCount field.
PAC Profile Fields
Home directory path written to the PAC HomeDirectory field.
Home drive letter written to the PAC HomeDirectoryDrive field (e.g. H:).
Profile path written to the PAC ProfilePath field.
Logon script path written to the PAC LogonScript field.
Timestamps
Ticket start time as a local-time string. Defaults to current UTC time.
Ticket end time as a duration relative to start time (e.g. 10h, 7d).
Renew-till time as a duration relative to start time.
Authentication time embedded in the ticket.
Generate a series of tickets from /starttime up to this end point.
Interval between tickets when using /rangeend. Defaults to 1d.
Output and Injection
Print a Rubeus command line that reproduces the forged ticket from explicit values, avoiding future LDAP contact.
Write the resulting .kirbi to this file (suffixed with timestamp and user/service names).
Inject the forged ticket directly into the current logon session via LSASS (pass-the-ticket).
Usage Examples
The /nofullpacsig flag is required when targeting Windows hosts that have not yet applied the enforcement phase of the PAC signature hardening update (KB5020805). From the November 2023 enforcement deadline onward, domain controllers reject service tickets whose FullPacChecksum is missing or invalid, so omitting /nofullpacsig on patched environments will cause the ticket to be rejected. Use /krbkey to supply the KRBTGT key and generate a correctly signed FullPacChecksum when targeting fully patched environments.